Cyber threat the No 1 item on the risk registers of SA’s leading listed companies


 
Given the growing number of cyber breach incidents reported in South Africa over the past 12 months, it’s no surprise that cyber breach concerns have overtaken regulatory risk as the number one concern for risk officers. This is a key finding in Aprio Credence’s latest annual review of JSE Top 40 companies’ published risk statements.

 

According to the review, which is based on research into the risk statements in the companies’ latest integrated reports, 86% of the JSE Top 40 enterprises say that cyber-attacks and data breaches are a top tier risk concern – while just more than half of the same companies list regulatory and compliance risk as one of their biggest risks going forward.

 

The research findings spanned 72 different categories of risk. There were five new entries into the Top 40 list for 2021, with close to 90% of the companies from the 2020 research project featuring in this year’s review by Aprio Credence.

 

COVID-19 related risks remain a prominent concern on companies’ risk registers for 2021 and beyond, featuring as a top tier risk for seven out of 10 enterprises in the review. Interestingly, only 21% of the JSE Top 40 companies listed the pandemic as a primary risk in their integrated reports published 12 months ago.

 

Based on the latest integrated reports, the five most prevalent concerns for C-suite executives around South Africa appear to be cyber risk, followed by pandemic-related impacts, the macro-economic environment, operating risks, and marketplace competition and disruption.

 

“It’s encouraging to see that reputation risk is increasingly being viewed by South Africa’s top companies as a standalone risk item alongside the usual suspects such as safety, liquidity, compliance and market risks, with 30% of the Top 40 companies now viewing reputation as a top-tier, separate risk item rather than a risk-of-risks or an outcome of other articulated risks,” says Alan Arguile, partner at Aprio Credence.

 

“Other notable findings include climate-related risk now featuring on the risk radars of more than half of the top companies, compared to a 26% prevalence 12 months ago. As a water-scarce country, access to water resources is also featuring more prominently in the risk reporting, with almost a quarter (22%) of the Top 40 companies now raising this as a concern,” says Arguile.

 

While safety remains a strong concern, particularly for mining companies, this year’s research revealed that identifying, recruiting, and retaining top people and skills is a more prevalent concern than employee safety in terms of top tier articulated risks. 54% of the Top 40 presented human resource challenges as a top tier risk, while just under half the same companies listed safety as a primary risk going forward.

 

At the other end of the spectrum, just one of the sampled companies presented the impact of Brexit as a top tier risk; social media risk also featured on the top tier risk register of a single Top 40 company; and social unrest was raised by three top companies as a primary risk concern in their integrated reports, which were published a few months ahead of the unrest which devastated parts of South Africa in July.

 

To find out more about our 2021 research into Top 40 companies’ articulated risks and how you can practically mitigate the reputational impacts of these risks, please contact Esme Arendse on esme@aprio.co.za or Alan Arguile on alan@aprio.co.za.

JSE Top 40 boards 2011-2021: the more things change, the more they stay the same

While black women non-executive directors have a significantly stronger presence on JSE Top 40 company Boards compared to ten years ago, in 2021 white men still rule the roost at South Africa’s biggest listed enterprises. But beyond transformation issues related to race and gender, do Boards in 2021 have the appropriate reputational nous, experience and expertise to help build, sustain and protect a company’s most valuable strategic asset – its reputation?

 

In March 2011, black women non-executive directors (NEDs) made up 15% of the Boards of JSE Top 40 companies. Ten years on, that figure is up 7% to 22% representativity, and not far behind the number of black men NEDs sitting on the Boards of South Africa’s biggest listed enterprises (26%). But despite a 12% decline in representativity since 2011, white men still made up 41% of NEDs at JSE Top 40 companies in March 2021.

 

At 10 of these Top 40 companies (as at March 2021), three-quarters or more of their NEDs were white directors – with one enterprise having a 100% all-white, all-male profile for their seven NEDs.

 

The gender divide within JSE Top 40 Boards in 2021 remains, however, significantly larger than the 4% gap between white and black NED representativity. Two-thirds of the Top 40 Boards consist of male NEDs, with black and white women taking just 33% of the seats at boardroom tables in 2021.

 

At seven of these Top 40 companies (as at March 2021), three-quarters or more of their NEDs were men – with three of these seven enterprises having a 100% all-male profile for their NEDs. This demonstrates that for some of our biggest companies, transformation does not always begin in the boardroom.

 

When Aprio Credence started researching NED demographics this year, we did not set out to focus on black-white, male-female representativity. As a specialist reputational risk and resilience firm, we do annual research into the published risk registers of Top 40 companies on the Johannesburg, London and New York bourses, to assess whether there is alignment between the risks that top companies are identifying and preparing for, versus the actual corporate risks and crises that make the headlines every year.

 

The initial hypothesis that prompted our March 2021 research into the boards of JSE Top 40 companies was this: do the NEDs of these major corporations have the reputational acumen to adequately identify and mitigate emerging reputational risks in this new world where everyone is a broadcaster, and 30-year CEO careers can end in ignominy through an insensitive or offensive comment or tweet? Is there someone at NED level who has a proven track record in building reputational resilience and can ask the necessary tough questions in the boardroom from a reputational perspective?

 

A number of commentators have described it as “extraordinary” that the former Steinhoff board, with no fewer than six Chartered Accountants (CAs), could have presided over such massive fraud and value destruction. Back in 2017, respected financial journalist Ryk van Niekerk wrote: “How did alleged fraud amounting to R100bn take place on this board’s watch? … A board is ultimately responsible for the affairs of a company and in this case, there has to be aggressive accountability. An even more pertinent question is why did the board not react proactively since the first allegations of transgressions surfaced in 2015?” This reinforces the point raised earlier, that approximately two-thirds of corporate crises can be categorised as “smouldering”, with warning signs preceding the ultimate reputational implosion.

 

Our research indicates that 29% of the 349 NEDs at JSE Top 40 companies have a CA or equivalent accounting qualification. Engineering qualifications are a distant second, at 16%. Economics, sciences and law feature in joint third position, each with 11% representativity.

 

We have tremendous respect for the wide-ranging expertise of CAs, engineers, actuaries, economists, scientists – expertise that generally extends well beyond numeracy and so-called left-brained competencies. But as American writer and political commentator Walter Lippmann said, “Where all think alike, no one thinks very much.” Or, as one of our clients remarked recently when challenged by one of his NEDs as to why they needed external advisors to help them navigate through a reputational crisis, “Having a board where everyone thinks alike, looks alike and talks alike, is what got us into trouble in the first place.”

 

Of the 349 NEDs featuring in our recent research, only four had formal qualifications in marketing or corporate communications. Once again, we are not saying such qualifications guarantee reputational nous, but is it not time to look to diversify the experience and expertise of our boards, just as we look to transform the composition of our NEDs from a race and gender perspective?

 

Contact Esme Arendse on esme@aprio.co.za or Alan Arguile on alan@aprio.co.za for more information on Aprio Credence’s service offering and if you wish to arrange an introduction to issue and crisis management, and see how their ARMOUR programme can help you optimally prepare for, respond to, and emerge more resilient from a crisis.

MS Teams, Zoom and other platforms have evolved in recent months – have your online presentation skills kept pace?

If you’re a regular presenter, you have probably spent the past year of COVID-19 cursing the limitations of video conferencing programmes when it comes to elegantly delivering presentations to a remote audience.

 

The good news is that there is some light at the end of the tunnel. Over the past few months, there have been some significant additions and improvements to programmes such as Microsoft (MS) Teams and Zoom, which should make life easier for you as a “power” presenter, and a lot more interesting and engaging for your audience.

 

Here are three new MS Teams and Zoom features that the Aprio Credence team has stress-tested in our online media training and remotely delivered crisis leadership sessions, and which we believe should feature in every power presenter’s arsenal:

 

1. You now have the option of PowerPoint presenter view in MS Teams which means you can see your notes, the next slides, and any participant chat in real time as you are presenting. This latter feature is a major plus. One of our biggest frustrations with MS Teams is that as soon as you share a PowerPoint presentation, you lose the ability to see the conversation/chat/feedback from participants (unless you use a second device or monitor).

 

This new feature also allows the presenter to temporarily hand control of the PowerPoint deck over to a colleague, for example, so that she/he can advance the slides that they are speaking to without having to ask you to “move to the next slide, please”.

 

There are a couple of significant caveats. The feature only works when opening a PowerPoint deck directly from the share tray rather than the desktop or Windows apps, and you are essentially working with a PowerPoint “lite” version – so you can’t show video embedded in your presentation, it takes ages to load up a big file, and your audience can review all the slides in your deck before you’ve gotten past the first slide, if you forget to disable this feature. But if you are presenting a relatively small slide deck without any embedded multimedia or complex transitions/animations, we would strongly recommend you try out this new feature.

 

2. Zoom and MS Teams now offer participant polling to enhance audience feedback and participation

You can now set up polling questions before or during your presentation in both Zoom and MS Teams, to get real-time feedback from the attendees on a series of multiple-choice type questions that can be launched at any point in the session. You have the option of making the feedback anonymous; you can also choose not to share feedback with participants.

 

3. Zoom and MS Teams now offer ‘breakout’ rooms for small team sessions within a larger team meeting or presentation

In MS Teams, you can have up to 50 breakout rooms, allocate people to the rooms either automatically or manually, and reallocate breakout rooms if people arrive late to the session or you want to mix up the groups in the breakout rooms. As the organiser, you can also visit different breakout rooms to engage with the participants and call everyone back to the main meeting when you feel it is time to reconvene.

 

It’s important to remember, though, that the organiser of the meeting is the only person who can control the breakout sessions and has to be present for the duration of the session to manage the breakout room feature.

 

“You’re on mute!”

 

In closing, remember those ‘old faithful’ keyboard shortcuts – you can press and hold your ‘spacebar’ to temporarily unmute yourself and avoid the “Bruce, you’re on mute!” calls of your colleagues as you scramble for the unmute button that always seems to move on your screen. And you can hit F5 in PowerPoint to go directly and quickly into full-screen slide show mode.

 

Aprio Credence delivers client master class programmes for effective video-conferencing sessions and PowerPoint presentations in MS Teams and Zoom. We have delivered more than 100 online media training and crisis leadership multimedia sessions since lockdown, using five different video-conferencing programmes, depending on our clients’ requirements. Whether it is the best lighting and background solutions or optimising the presentation of multimedia content, we’ve learnt some valuable lessons in remote presenting over the past 12 months. We would love to share these with you to make your remote presentations more effective.

Cyber Crises – downplay the communications response at your peril!

It’s little wonder that cyber security was named as the top concern among South Africa’s business leaders in 2019, and that cyber security features as the most prevalent concern on the risk registers of JSE Top 40 companies.
South African statistics provide devastating evidence of why cyber security is such a major concern to local enterprises. Close to 580 attempted malware attacks every hour; more than R2 billion lost through cyber-attacks in 2019; the third highest number of cyber-crime victims in the world; and an average cost-to-company of a data breach in South Africa standing at $2.14 million, according to IBM.

 

But among the myriad local and international research reports and survey results Aprio Credence has reviewed in recent months – all presenting frightening statistics around the prevalence and financial impact of cyber-attacks around the globe – four pieces of relatively obscure, non-technical data caught our attention as reputational risk and resilience practitioners. We firmly believe they should also be of concern to every C-Suite bench, risk and cyber specialist, and communications professional in South Africa:

 

  • A 2018 Deloitte study of more than 300 board members and over 500 risk management, crisis management and business continuity professionals found that 8 of the 11 lessons learned after a cyber crisis were related to sub-optimal communication;
  • A 2016 survey conducted by MIT Technology Review Custom in partnership with FireEye and Hewlett Packard Enterprise (HPE) Security Services, revealed that 44% of the 225 business and IT leaders polled said their organisations didn’t have cyber security crisis communication plans in place; while another 15 percent didn’t know whether they had such plans;
  • According to a study conducted by international law firm Morrison & Foerster together with business ethics specialists the Ethisphere Institute, only 34.1 percent of respondents said they felt “very confident” about how useful their crisis plan would be in the event of an actual cyber breach. Of all the major costs and risks associated with a cyber security incident, the potential negative brand and reputation impact, including the erosion of customer trust, could be the most damaging.
  • A study by international communications firm Edelman showed 71% of global consumers would switch providers after a company they rarely used suffered a data breach.

 

These four observations highlight the importance of effective cyber incident playbooks and crisis communication competence and capabilities. They are well aligned with some of the many lessons we have learned providing reputation management counsel to JSE-listed companies and other organisations that have experienced a cyber breach; they reflect some of the insights gleaned from our work facilitating the reputation management elements on dozens of cyber incident simulations across Africa in recent years.
While cyber crises may be driven by technology, at their heart they are very human affairs. Get the stakeholder communications process wrong – a poorly timed piece of communication, transgressing the delicate balance between transparency and strategic disclosure, focusing too much on the breached organisation rather than on the people affected by the incident – and an enterprise can go very quickly from being perceived as the victim of a cyber-attack to being labelled the villain.

 

For a free copy of the full report covering Aprio Credence’s Seven Deadly Sins of Cyber Crisis Communications, e-mail mpho@aprio.co.za.

Crisis communications in the time of COVID-19

A discussion with Esme Arendse, CEO of Aprio Credence, the group’s issues management and crisis communications division 

 

1. How have companies been dealing with crisis management and crisis preparation during COVID-19?

 

Many companies were left reeling when Lockdown Level 5 was announced. On the other hand, we would argue that some handled and responded to the pandemic very well. It is clear to us at Aprio Credence that the difference lies in a company’s preparation – having the training, tools, policies and people in place to manage and lead through a crisis.

These are the companies that have invested time and resources in understanding the nature of crisis leadership, have trained people and have policies and infrastructure in place to be able to deal with a crisis.

 

2. Could companies have been better prepared?

 

Very few companies actually have a pandemic listed on their risk registers, even though some have business continuity plans in place for a natural disaster like an earthquake or flood or sustained electricity outages. However, very few were prepared for a complete shutdown and loss of revenue over an extended period and had to re-invent their logistics infrastructure – from servicing clients to basic communications with staff. 

There are companies that can handle crisis communications intuitively, using their in-house teams and generalist PR agencies and we saw this happening in the initial phases. But it takes a crisis of this magnitude for some companies to acknowledge that certain situations require specialist attention – in the same way that you can’t expect a general practitioner to cure a problem that requires brain surgery.

Importantly, other crises did not disappear when the pandemic came, which left some companies having to deal with those issues as well as the reality of staff and client infections and fatalities and a loss of revenue due to the shutdown.

Companies need specialist skills and support when it comes to crisis communications. Our approach at Aprio Credence is called ARMOUR and consists of six pillars of crisis preparation and reputation resilience:

 

1. Vulnerability and reputation threat assessment
2. Preparedness audit: policies and protocols
3. Master class training and skills development
4. Battle ground stress-testing and crisis simulation
5. Close the gap: collateral, systems and early warning capabilities. For example, the development of a series of communication playbooks to deal with all top tier risks.
6. Crisis support and counsel – to complement existing resources

 

 

3. Tell us about the crisis simulations that Aprio Credence conducts.

 

In a crisis simulation we work with client teams to stress-test their reputation risk management decision-making and capabilities using various scenarios. These could include anything from a cyber-attack, executive/employee misconduct, COVID-19 related staff and customer issues, governance irregularities, a racism or sexual harassment issue right through to dealing with fatalities and suicide in the workplace.

 

We make the simulation as realistic as possible and the process often leads to refinements and ‘tweaks’ to policies, protocols and processes, as these are stress-tested for their practicality and effectiveness in the ‘real world’ operating environment.

 

We precede this with an empowering and thought-provoking learning session where among other topics we explore the global reputation risk landscape and conduct a reputation risk diagnostic for the company. The session, which can now also be conducted virtually, equips the client with practical tools and insights that will enhance their ability to lead the organisation through the different types of reputation risk they could encounter in their respective industries.   

 

To find out more about how Aprio Credence can assist you in preparing for and managing a crisis, contact Esme Arendse on esme@aprio.co.za or call 082 694 7643.